bea0486

@btcentralplus.com

1 recommendation

[CCNA] Cisco 2900 configuration

Hi, I have just bought an old Cisco Catalyst 2900 and I wish to set up two different VLANs (unfortunately I don't have a cable to access the device via console). Via Web I could assign some ports to VLAN 1 and configure the IP of the device and the default gateway. However, there is no way to do the same for the ports I assigned to VLAN2. I cannot configure any IP or similar. Does anyone have any ideas? Thanks


rolande
Certifiable
Premium,Mod
join:2002-05-24
Dallas, TX
kudos:6
I believe you can only set up a single IP interface, anyway. You just choose which VLAN to configure it on. It is an L2-only switch and not a router. If you want to be able to route between the 2 VLANs you will need to configure one of the switch ports to trunk and connect a router to that port that has a VLAN subinterface configured for each VLAN.
--
Scott, CCIE #14618 Routing & Switching
»rolande.wordpress.com/


bea0486

@btcentralplus.com
Thanks rolande. What I want to do is to connect N computers to a VLAN1 (that will get IPs from a DHCP server of one of them) and then 3 other computers to another VLAN2. This VLAN2 is connected to the Internet and to a (firewall) computer with two interfaces (one in VLAN1 the other in VLAN2) that will forward data from one to another (that is what the switch cannot do as you pointed out).
With your comment, I think I understand better what I want to do... so I just need to configure the two VLANs and that is it, no need for an IP or default gateway at all - because in VLAN1 the DHCP server will assign IPs and default gateway to everyone (the switch will not have an IP) and in VLAN2 the Internet router will assign IPs as well to the firewall and the switch again will not have an IP. I guess this is correct.

The only thing is that the switch can have an IP in the VLAN1 so machines can connect and configure/monitor it via Web. What I am not too sure is then what to specify in the default gateway, I guess the static IP of the firewall that provides DHCP as well. Thanks.

HELLFIRE
Premium
join:2009-11-25
kudos:18
reply to bea0486
Exactly WHICH model of 2900 did you get... and what's your definition of "old" exactly?

If it's circa 2924 or 294x / 295x generation, as rolande says, you'll get one (1) IP address on it for
management, but your DHCP / default gateway is going to be on your layer 3 device. Also I'm rather surprised
you didn't / couldn't get a 9-pin to rollover cable for console config on this. 'Course, without the exact
make / model of switch, this is just speculation.

Regards


bea0486

@btcentralplus.com
It is a Cisco Catalyst 2950 (WS-C2950C-24) 24-Port Gigabit Ethernet Switch

markysharkey
Premium
join:2012-12-20
united kingd
reply to bea0486
You can leave the ip default-gateway blank and see if it works. If it doesn't, it should be set to the IP address of the DHCP server PC.
As already mentioned, you can only have one active Layer 3 Interface VLAN at a time. Whichever one you choose won't matter as its only purpose is to give you an IP address for management.
If DHCP is giving you problems remember to add the ip helper-address command to the L3 VLAN, and point it at the DHCP server.

switch(config)#ip default-gateway xxx.xxx.xxx.xxx
switch(config)#interface vlan 1
switch(config-if)#ip add 192.168.1.10 255.255.255.0
switch(config-if)#ip helper-address xxx.xxx.xxx.xxx (this is the ip address of the DHCP server)
 

--
Binary is as easy as 01 10 11
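Putting the replies so far together into one 2950 configuration, as an added example that is not markysharkey's or anyone else's posted config: VLAN 2 is created, the first twelve ports go to VLAN 1 and the rest to VLAN 2, the firewall computer's two NICs each sit on an access port in their own VLAN, and the only address on the switch is the management SVI, with the default gateway pointing at the firewall's VLAN 1 address. The port split, the 192.168.1.0/24 addressing, the firewall's address and the IOS release are my assumptions. The switch does not route, so DHCP for each VLAN still has to come from a device on that VLAN (the firewall computer on VLAN 1, the upstream router on VLAN 2). Every host port is pinned to access mode with DTP negotiation off, so a machine on the red side cannot negotiate its port into a trunk and reach the green VLAN; that is the check worth having when trusted and untrusted VLANs share one switch.

```cisco
! Catalyst 2950, added example (assumed IOS 12.1(9)EA1 or later, where "vlan" is a global config command)
! Assumed addressing: VLAN 1 = green / inside, 192.168.1.0/24, firewall inside NIC 192.168.1.1
!                     VLAN 2 = red / outside, addresses come from the unmanaged upstream router
hostname green-sw
!
vlan 2
 name OUTSIDE
!
! Inside hosts plus the firewall computer's inside NIC (port assignment is assumed)
interface range FastEthernet0/1 - 12
 switchport mode access
 switchport access vlan 1
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Red side: the firewall computer's outside NIC and any other outside hosts
interface range FastEthernet0/13 - 23
 switchport mode access
 switchport access vlan 2
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Uplink to the upstream router: no portfast/bpduguard, since another switch may sit behind that cable
interface FastEthernet0/24
 description uplink to upstream router (VLAN 2)
 switchport mode access
 switchport access vlan 2
 switchport nonegotiate
!
! The single management address the replies above describe; the switch does not route between VLANs
interface Vlan1
 ip address 192.168.1.10 255.255.255.0
 no shutdown
!
! Default gateway = the firewall computer's inside (VLAN 1) address
ip default-gateway 192.168.1.1
!
! Management only from the inside subnet; telnet is all a 2950 without a crypto image offers, so fence it in
access-list 10 permit 192.168.1.0 0.0.0.255
line vty 0 15
 access-class 10 in
 login
 password <set-a-password>
!
end
```

With this in place the green and red VLANs only meet inside the firewall computer, which is the intent of the original question; the `access-class` on the vty lines keeps the web/telnet management plane reachable from the green side only.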


bea0486

@btcentralplus.com
Many thanks to all, I think it is more clear for me now.

HELLFIRE
Premium
join:2009-11-25
kudos:18
reply to bea0486
In which case what I said earlier holds.

I'm guessing you're doing router-on-a-stick? Make sure your trunk config's right on the 2950 end
and whatever's your router upstream.

Regards


bea0486

@btcentralplus.com
I am sorry, I do not really know what "router-on-a-stick", "trunk" and "router upstream" mean. I am a bit of a newbie :/

What I will have is a connection to a router providing me DHCP and Internet. This router will be connected through VLAN2 to my firewall, which will redirect all traffic to the second network interface to VLAN1. The firewall as well will provide DHCP for all computers in VLAN1. I think it is clear for me that the switch will only have an IP for management purposes and that is fine I guess with my configuration.

Thanks.

Network Guy
Premium
join:2000-08-25
New York
kudos:2

1 edit
As mentioned, you will need a "router on a stick" configuration.

Easiest, cheapest way I know to accomplish this would be getting a Cisco 1721 with one 1ENET WIC.

Create two subinterfaces on F0 on the 1721; F0.1 for VLAN1, use IANA address 192.168.0.1/24 and F0.2 for VLAN2 using IANA address 192.168.1.1/24. Your 2950 will know about these subinterfaces when you configure a trunk port to connect it to the router's E0 interface and forward traffic between the VLANs accordingly.

What I don't understand is why not simplify your configuration and have all computers in one subnet? Unless you're purposely not wanting certain machines to get online?

Edit: Oops.. I mean F0.1 and F0.2
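Here is the router-on-a-stick setup from the post above written out as config, an added example rather than Network Guy's or the project's own: the 1721's built-in F0 carries both VLANs to the 2950 over one dot1Q trunk, with F0.1 and F0.2 using the two addresses given in the post. The trunk port number on the 2950 (Fa0/24), the unused native VLAN 999, the WIC-1ENET appearing as Ethernet0 with a DHCP-assigned address, the NAT overload, and the access list are my assumptions about the rest of the setup. The access list is there because the only reason to keep two VLANs is to stop red hosts from walking into the green subnet; it is a plain stateless ACL, so only TCP return traffic is let back in and anything else green initiates toward red would need its own permit.

```cisco
! Cisco 1721, added example (interface names, addresses beyond the two in the post, and the ACL are assumptions)
hostname rtr-stick
!
! Physical interface toward the 2950 trunk: carries no address itself, the VLANs live on subinterfaces
interface FastEthernet0
 no ip address
 no shutdown
!
interface FastEthernet0.1
 description VLAN 1 - green / inside
 encapsulation dot1Q 1
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
!
interface FastEthernet0.2
 description VLAN 2 - red
 encapsulation dot1Q 2
 ip address 192.168.1.1 255.255.255.0
 ip access-group RED-IN in
 ip nat inside
!
! Red hosts may reach the Internet but may not open connections into the green subnet.
! Stateless: only TCP replies to green-initiated sessions are allowed back through.
ip access-list extended RED-IN
 permit tcp any 192.168.0.0 0.0.0.255 established
 deny   ip any 192.168.0.0 0.0.0.255
 permit ip any any
!
! WAN side (assumed: WIC-1ENET shows up as Ethernet0 and gets its address from the upstream network)
interface Ethernet0
 ip address dhcp
 ip nat outside
 no shutdown
!
ip access-list standard NAT-HOSTS
 permit 192.168.0.0 0.0.0.255
 permit 192.168.1.0 0.0.0.255
ip nat inside source list NAT-HOSTS interface Ethernet0 overload
!
end
!
! ---- matching trunk port on the 2950 (separate device) ----
! vlan 999
!  name UNUSED-NATIVE
! interface FastEthernet0/24
!  description trunk to rtr-stick
!  switchport mode trunk
!  switchport trunk allowed vlan 1,2
!  switchport trunk native vlan 999
!  switchport nonegotiate
```

Both VLANs are tagged on the trunk and the native VLAN is parked on a number nothing uses, so an untagged frame injected toward the trunk lands in VLAN 999 where no interface listens; `switchport nonegotiate` and an explicit allowed-VLAN list stop the trunk from being widened by DTP. The 2950 needs no `encapsulation` command, since dot1Q is the only trunking it does.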

HELLFIRE
Premium
join:2009-11-25
kudos:18
reply to bea0486
said by bea0486 :

I am sorry, I do not really know what "router-on-a-stick", "trunk" and "router upstream" mean. I am a bit newbie : /

Dig up your CCNA study materials and look up "router-on-a-stick" and "trunk" and do some reading... you may
also want to do some of the labs associated with them to get the concepts to stick in your head, but generally
speaking they're pretty entry-level CCNA concepts you're going to have to learn. Now's as good a time as any
to do 'em, I say...

said by bea0486 :

What I will have is a connection to a router providing me DHCP and Internet. This router will be connected through VLAN2 to my firewall, which will redirect all traffic to the second network interface to VLAN1. The firewall as well will provide DHCP for all computers in VLAN1.

What make / model is this router exactly?

Secondly, running untrusted traffic through 2950 VLAN2, then back out it again through 2950 VLAN1 leaves you with a single point
of failure, never mind it being a VERY VERY bad idea from a design and security perspective. I agree with Network Guy:
what are your design requirements that it needed to be set up this way?

Regards

cramer
Premium
join:2007-04-10
Raleigh, NC
kudos:9
reply to Network Guy
Note: the WIC-1ENET cannot do VLANs. The 1721/1751 built-in f0 can. A 1720/1750 cannot, so don't bother buying one.

Network Guy
Premium
join:2000-08-25
New York
kudos:2
Correct. He would use the WIC-1ENET for the WAN connection, and the built-in F0 as the internal trunk.

Assuming the 1721 would be the edge router that is. I have no idea what he means by "firewall".


bea0486

@btcentralplus.com
Thank you all, you are excellent (Btw, I am "she").

By a firewall I mean a computer running Ubuntu server (or IPsec...), with two network interfaces, filtering traffic coming from the Internet and providing DHCP and DNS services for the internal network. This configuration allows me to block external access. I am not sure of the Cisco model of the router, but it is shared within several networks and I cannot manage it.

I agree that there is a single point of failure... but I am not sure what else I could do... If the firewall computer breaks, I am done. If the Cisco 2950 breaks, I am done. I was thinking of having a second Cisco switch just as a "backup" - I know this is not very elegant. The internal network is small (200 computers).

Network Guy
Premium
join:2000-08-25
New York
kudos:2
Sorry for thinking you were a he.

So I drew a little map in MS Paint of what I think it is that you're wanting to do.

The computers with the red line are in the same VLAN as the router you cannot manage and in the same VLAN as the outside interface of your firewall computer.

The computers with the green line are in the same VLAN as the inside interface of your firewall computer and the computers you want protected behind it.

Is this somewhat accurate? If so, I still don't get why you don't want all computers behind your firewall computer or behind your router. What's the business requirement?

If you're needing to segregate the computers in the red from the ones in the green, my little diagram is as easy as it will be for you. If your firewall computer provides DHCP and DNS services, you only need the same for the ones in the red, or configure static addresses and point to an external DNS server for resolution.

Getting computers in the red to communicate with the computers in the green will require opening some holes in your firewall computer.


bea0486

@btcentralplus.com
That is lovely, thanks very much.

Well, sorry if I did not explain myself properly. What I need is exactly what you drew but without the computers in the red VLAN (and thanks to this forum, now it is clear to me how to configure it). So all computers have to be in the green, "protected" VLAN. However, I know if the firewall computer breaks, the whole network will stop working (same if the Cisco 2950 breaks). That is my concern now. My way of solving it, and this might not be an elegant design solution for your expertise, would be to have an additional 2950 configured in the same way and ready to be used if the other fails. Same with the firewall: a mirror computer ready to jump in if something fails.

Network Guy
Premium
join:2000-08-25
New York
kudos:2
There's nothing ugly about your plan. That really is the way to go for your particular goal.

Good luck. Cheers

HELLFIRE
Premium
join:2009-11-25
kudos:18
reply to bea0486
said by bea0486 :

What I need is exactly what you drew but without the computers in the red VLAN

One way to simplify this is, instead of rerouting traffic first thru the 2950 to the firewall computer's RED interface,
then out its GREEN interface, to put both the firewall computer and 2950 inline with your traffic, something like:

router
|
V
firewall computer
|
V
2950
|
V
LAN hosts.
 

It doesn't address the single points of failure, but it keeps the configuration simple, especially for the 2950.

Regards